Security questions

hello team,
can anyone help me address these questions:

  1. Are ‘deep dive’ security scans possible to reveal intrusions, behavioral anomalies, and unknown threats to the website?

  2. Are Content Security Policies (CSP) in place that can detect & mitigate types of attacks, i.e., XSS and data injections?

  3. Are SSL certificates in place for encrypting Internet traffic and verifying your server identity?

I have received this from a potential client (a university), and already explained that we use Backendless and have all the required policies and roles for access control in place.

Thank you

Hi Alessandra,

Please see below:

We have policies in place that would restrict anyone from getting into our system outside of the ways and means provided by the platform and described in the documentation. We provide the security mechanisms for you to restrict access to your data by setting up a security policy for your app. If the security is not in place and someone accesses your application via the API, we would not be able to detect that, since it would be just a regular API call.

We have security policies in place and our system already stops attacks. However, if someone uses the API to access data that you have not secured, it would appear as a regular API call.

Yes, all communication with our servers is encrypted and SSL certificates are in place.

Regards,
Mark


thanks a lot Mark!

Hello @mark-piller, some more questions here from another client. If you could provide any additional information, thank you:

Have you undergone an SSAE 18 / SOC 2 audit?

Have you completed the Cloud Security Alliance (CSA) CAIQ?

Have you received the Cloud Security Alliance STAR certification?

Do you conform with a specific security standard framework (e.g. ISO 27001)?

Is the system compliant with NIST SP 800-171?

Are you using a web application firewall (WAF)?

Are your systems scanned for vulnerabilities?

Any third party assessments?

Do you have a SOC 2 type 2 report available?

Does your organization have physical security controls and policies in place?

Do you have physical access control and video surveillance?

Do you enforce network segmentation between trusted and untrusted networks?

Are you utilizing a stateful packet inspection (SPI) firewall?

Do you use any IDS/IPS system to monitor for intrusions?

Are you employing next generation persistent threat (NGPT) monitoring?

Apologies for the many questions, and thank you in advance for any input you can provide.

Alessandra

I sent you an email with the answers.

Regards,
Mark


Hi @mark-piller, can you also send me the same email? Specifically, I am looking for ISO 27001 and SOC 2.

Done

Hello Mark.

We’re currently evaluating starting a few projects with Backendless.
We also have a component-oriented ERP that we may want to migrate to Backendless.
I’m going through all the training resources and soon we’ll be starting.
This platform looks fantastic and well thought out - congratulations!
However, since we’re based in Spain, EU, we have to address specific issues related to security and data privacy.
I wonder if you could also send me this info, in particular the part related to ISO and SOC 2 certifications.

Thanks in advance,

Best regards,

Paulo

Hi Paulo,

Thank you for your kind words.

At the present moment, we do not have ISO or SOC2 certifications.

Regards,
Mark

Hi Mark.

Thank you for your prompt answer.
Given that there are no certifications, is the only alternative to go with the on-premises mode and deploy somewhere here in Europe?
I saw that Backendless has hosting in Europe and I imagine it has a client base here.
Is it possible to know about other Backendless cloud use cases (in Europe) and learn how they addressed these compliance requirements?
Thanks again for your help,

Paulo

Hi Paulo,

Yes, our data center is in the EU and is GDPR compliant (we’re running out of a data center in France).

There are plenty of customers in Europe. Some decided to do their audit; others developed their trust with us. Hosting Backendless on your servers is also an option; the Community Edition of Backendless Pro is available free of charge (support and upgrades cost extra, though).

Regards,
Mark

Hi Mark.

Ok, it looks clear to me now.
We’ll start with your cloud in Europe for now, and we will have time to consult with our legal consultants to validate these options.
Again, thanks very much for your help.

Best regards,

Paulo